Build and push image📦 #42

Summary
Jobs
- build
Run details
- Usage
- Workflow file

Workflow file for this run

	name: Build and push image📦

	on:
	workflow_dispatch:
	# schedule:
	# - cron: "00 12 1 * *"
	# push:
	# branches: ["main"]

	env:
	REGISTRY: ghcr.io
	IMAGE_NAME: ${{ github.repository }}
	APP_VERSION: 1.27.4

	jobs:
	build:
	if: github.actor == 'ammnt'
	runs-on: ubuntu-latest
	permissions:
	contents: write
	packages: write
	id-token: write
	security-events: write
	attestations: write

	steps:
	- name: Checkout repository🧱
	uses: actions/[email protected]

	- name: Install cosign🔒
	uses: sigstore/[email protected]

	- name: Setup Docker buildx🛠️
	uses: docker/[email protected]

	- name: Log into GHCR🔑
	uses: docker/[email protected]
	with:
	registry: ${{ env.REGISTRY }}
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Log into Docker Hub🔑
	uses: docker/[email protected]
	with:
	username: ${{ secrets.DOCKERHUB_USERNAME }}
	password: ${{ secrets.DOCKERHUB_TOKEN }}

	- name: Extract Docker metadata🔬
	id: meta
	uses: docker/[email protected]
	with:
	images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

	- name: Build the Docker image⛓️
	id: build
	uses: docker/[email protected]
	with:
	provenance: false
	context: .
	platforms: linux/amd64
	load: ${{ github.event_name != 'pull_request' }}
	tags: ${{ github.repository }}:${{ env.APP_VERSION }}
	labels: ${{ steps.meta.outputs.labels }}
	cache-from: type=gha
	cache-to: type=gha,mode=max

	- name: Analyze image with Docker Scout💊
	uses: docker/[email protected]
	with:
	command: cves,sbom
	image: ${{ github.repository }}:${{ env.APP_VERSION }}
	sarif-file: sarif.output.json
	summary: false

	- name: Upload Docker Scout report📊
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: sarif.output.json

	- name: Analyze image with Trivy💊
	uses: aquasecurity/[email protected]
	with:
	image-ref: ${{ github.repository }}:${{ env.APP_VERSION }}
	scan-type: image
	format: "github"
	output: "dependency-results.sbom.json"
	severity: "MEDIUM,HIGH,CRITICAL"
	scanners: "vuln"
	github-pat: ${{ secrets.GH_TOKEN }}

	- name: Upload Trivy report📊
	uses: actions/[email protected]
	with:
	name: trivy-sbom-report
	path: "${{ github.workspace }}/dependency-results.sbom.json"
	retention-days: 20

	- name: Analyze image with Grype💊
	id: anchore
	uses: anchore/[email protected]
	with:
	image: ${{ github.repository }}:${{ env.APP_VERSION }}
	fail-build: false
	severity-cutoff: critical

	- name: Upload Grype report📊
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: ${{ steps.anchore.outputs.sarif }}

	- name: Analyze image with Syft💊
	uses: anchore/[email protected]
	with:
	syft-version: v1.13.0
	image: ${{ github.repository }}:${{ env.APP_VERSION }}
	artifact-name: image.spdx.json
	dependency-snapshot: false

	- name: Analyze image with Snyk💊
	continue-on-error: true
	uses: snyk/actions/docker@master
	env:
	SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
	with:
	image: ${{ github.repository }}:${{ env.APP_VERSION }}
	args: --file=Dockerfile

	- name: Upload Snyk report📊
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: snyk.sarif

	- name: Analyze image with Clair💊
	run: \|
	docker run -d --name db arminc/clair-db
	sleep 15
	docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan
	sleep 1
	DOCKER_GATEWAY=$(docker network inspect bridge --format "{{range .IPAM.Config}}{{.Gateway}}{{end}}")
	wget -qO clair-scanner https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64 && chmod +x clair-scanner
	./clair-scanner --ip="$DOCKER_GATEWAY" ${{ github.repository }}:${{ env.APP_VERSION }} \|\| exit 0

	- name: Slim the Docker image🚀
	uses: kitabisa/[email protected]
	env:
	DSLIM_HTTP_PROBE: false
	with:
	target: ${{ github.repository }}:${{ env.APP_VERSION }}
	tag: ${{ github.repository }}:${{ env.APP_VERSION }}
	overwrite: true

	- name: Explore the Docker image with Dive🔍
	timeout-minutes: 2
	env:
	CI: true
	run: \|
	wget -q https://github.com/wagoodman/dive/releases/download/v0.12.0/dive_0.12.0_linux_amd64.tar.gz
	tar xvzf dive_0.12.0_linux_amd64.tar.gz -C /usr/local/bin
	dive --ci-config "${{ github.workspace }}/.dive-ci/" ${{ github.repository }}:${{ env.APP_VERSION }}

	- name: Test the Docker image🧪
	run: \|
	docker run -d --rm -p 127.0.0.1:8080:8080/tcp ${{ github.repository }}:${{ env.APP_VERSION }}
	curl -v http://127.0.0.1:8080 \|\| exit 1

	- name: Push the Docker images to registries💾
	run: \|
	docker tag ${{ github.repository }}:${{ env.APP_VERSION }} ${{ github.repository }}:latest
	docker tag ${{ github.repository }}:${{ env.APP_VERSION }} ammnt/freenginx:${{ env.APP_VERSION }}
	docker tag ${{ github.repository }}:${{ env.APP_VERSION }} ammnt/freenginx:latest
	docker push ${{ github.repository }}:${{ env.APP_VERSION }}
	docker push ammnt/freenginx:${{ env.APP_VERSION }}
	docker push ${{ github.repository }}:latest
	docker push ammnt/freenginx:latest
	DIGEST=$(docker images --no-trunc --quiet ${{ github.repository }}:${{ env.APP_VERSION }})
	echo "DIGEST=$DIGEST" >> $GITHUB_ENV

	- name: Attestation the Docker image📍
	uses: actions/[email protected]
	with:
	subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
	subject-digest: ${{ env.DIGEST }}
	push-to-registry: false

	- name: Sign the published Docker image🔐
	env:
	COSIGN_EXPERIMENTAL: "true"
	run: \|
	cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ env.DIGEST }}
	cosign sign docker.io/${{ env.IMAGE_NAME }}@${{ env.DIGEST }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Build and push image📦 #42

Workflow file

Build and push image📦 #42

Jobs

Run details

Workflow file for this run